CN105808256B - It is a kind of to construct the method and system that legal storehouse return value bypasses function call detection - Google Patents

It is a kind of to construct the method and system that legal storehouse return value bypasses function call detection Download PDF

Info

Publication number
CN105808256B
CN105808256B CN201610128818.0A CN201610128818A CN105808256B CN 105808256 B CN105808256 B CN 105808256B CN 201610128818 A CN201610128818 A CN 201610128818A CN 105808256 B CN105808256 B CN 105808256B
Authority
CN
China
Prior art keywords
stack
function
address
createdeviceex
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201610128818.0A
Other languages
Chinese (zh)
Other versions
CN105808256A (en
Inventor
周志刚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan Douyu Network Technology Co Ltd
Original Assignee
Wuhan Douyu Network Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan Douyu Network Technology Co Ltd filed Critical Wuhan Douyu Network Technology Co Ltd
Priority to CN201610128818.0A priority Critical patent/CN105808256B/en
Publication of CN105808256A publication Critical patent/CN105808256A/en
Application granted granted Critical
Publication of CN105808256B publication Critical patent/CN105808256B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/30Creation or generation of source code
    • G06F8/31Programming languages or programming paradigms

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Executing Machine-Instructions (AREA)

Abstract

本发明公开了一种构造合法堆栈返回值绕过函数调用检测的方法,包括:构造递归调用往堆栈中多次压入进程的d3d9.dll模块的代码段中的任一连续两条汇编指令序列pop ebp,retn的地址,其中压入地址的次数大于或等于堆栈检测调用的层数;在往堆栈中多次压入上述地址后,构造系统函数CreateDeviceEx需要的参数并压入堆栈,并往堆栈中再次压入上述地址后,跳转到系统函数CreateDeviceEx。通过构造一个递归调用往堆栈中多次压入进程的d3d9.dll模块的代码段中的任一连续两条汇编指令序列pop ebp,retn的地址,从而在堆栈中压入超过堆栈检测调用层数的合法地址,从而在游戏开发商对调用CreateDeviceEx函数的调用者进行检查时能够通过合法性验证,从而保证直播的正常进行。

The invention discloses a method for constructing a legal stack return value to bypass function call detection, comprising: constructing any two consecutive assembly instruction sequences in the code segment of the d3d9. pop ebp, retn addresses, where the number of times the address is pushed is greater than or equal to the number of stack detection calls; after pushing the above address into the stack for many times, construct the parameters required by the system function CreateDeviceEx and push them into the stack, and then go to the stack After pressing the above address again, jump to the system function CreateDeviceEx. By constructing a recursive call to push the address of any two consecutive assembly instruction sequences pop ebp, retn in the code segment of the d3d9. The legal address, so that when the game developer checks the caller of the CreateDeviceEx function, it can pass the legality verification, so as to ensure the normal progress of the live broadcast.

Description

一种构造合法堆栈返回值绕过函数调用检测的方法与系统A method and system for constructing a legal stack return value to bypass function call detection

技术领域technical field

本发明属于计算机开发技术领域,更具体地,涉及一种构造合法堆栈返回值绕过函数调用检测的方法与系统。The invention belongs to the technical field of computer development, and more specifically relates to a method and system for constructing a legal stack return value to bypass function call detection.

背景技术Background technique

目前,直播软件在直播时都可以预览到直播的内容,获取直播的显示内容都是通过注入一个动态链接库到游戏进程中,注入的动态链接库会hook进程中的d3d9.dll的Present函数来获取显卡的显示内容,为了获取到Present函数的地址,则需要先获取到IDirect3DDevice9Ex的指针,从该指针中获取函数地址,而该指针则可以通过调用CreateDeviceEx函数来获取。但是由于目前很多“外挂”会调用该函数来实现某些“外挂”功能,所以导致游戏开发商会对调用该函数的调用者进行检查,如果不是游戏自身的调用则会判断是“外挂”在调用,从而进行处罚。对于如何检测是谁调用了某函数,则可以利用intel x86的函数调用机制,在函数调用时会使用扩展基址指针寄存器(extended basepointer,EBP)和堆栈栈顶寄存器(Extended Stack Pointer,ESP)来保存当前堆栈的栈底地址和栈顶地址。而栈底地址存放着调用此函数的返回地址。由此,通过不断的回朔EBP寄存器来获取函数调用的返回地址,就可以获取到调用这个函数的整个调用链,从而可以区分出是否是合法的调用地址。At present, the live broadcast software can preview the live broadcast content during the live broadcast. The display content of the live broadcast is obtained by injecting a dynamic link library into the game process. The injected dynamic link library will hook the Present function of d3d9.dll in the process. To obtain the display content of the graphics card, in order to obtain the address of the Present function, you need to obtain the pointer of IDirect3DDevice9Ex first, and obtain the function address from the pointer, and the pointer can be obtained by calling the CreateDeviceEx function. However, because many "plug-ins" currently call this function to achieve certain "plug-in" functions, game developers will check the caller who calls this function. If it is not called by the game itself, it will be judged that the "plug-in" is calling , thereby punishing. For how to detect who called a certain function, you can use the function call mechanism of intel x86, which will use the extended base pointer register (extended basepointer, EBP) and the stack top register (Extended Stack Pointer, ESP) when calling the function. Store the bottom address and top address of the current stack. The bottom address of the stack stores the return address of calling this function. Therefore, by continuously looking back at the EBP register to obtain the return address of the function call, the entire call chain for calling this function can be obtained, thereby distinguishing whether it is a legal call address.

发明内容Contents of the invention

针对现有技术的以上缺陷或改进需求,本发明提供了一种绕过堆栈检测的方法,此发明通过一段精心构造的汇编代码,通过不断的往堆栈中压入合法的地址来掩盖真实的调用。Aiming at the above defects or improvement needs of the prior art, the present invention provides a method for bypassing stack detection. This invention uses a carefully constructed assembly code to cover up the real call by continuously pushing legal addresses into the stack. .

为实现上述目的,按照本发明的一个方面,提供了一种构造合法堆栈返回值绕过函数调用检测的方法,包括:构造递归调用往堆栈中多次压入进程的d3d9.dll模块的代码段中的任一连续两条汇编指令序列pop ebp,retn的地址,其中压入地址的次数大于或等于堆栈检测调用的层数;在往堆栈中多次压入上述地址后,构造系统函数CreateDeviceEx需要的参数并压入堆栈,并往堆栈中再次压入上述地址后,跳转到系统函数CreateDeviceEx。In order to achieve the above object, according to one aspect of the present invention, a method for constructing a legal stack return value to bypass function call detection is provided, including: constructing a code segment that recursively calls the d3d9.dll module that is repeatedly pushed into the stack The address of any two consecutive assembly instruction sequences pop ebp, retn in which the number of times the address is pushed is greater than or equal to the number of stack detection calls; after pushing the above address into the stack for many times, the construction system function CreateDeviceEx needs parameters and push them into the stack, and push the above addresses into the stack again, then jump to the system function CreateDeviceEx.

在本发明的一个实施例中,往堆栈中压入的地址的获取方式为:在进程的d3d9.dll模块的代码段中查找连续的值为0x5D,0xC3的指令的地址,其中0x5D,0xC3是汇编指令序列pop ebp,retn所对应的16进制。In one embodiment of the present invention, the method of obtaining the address pushed into the stack is: in the code segment of the d3d9. The hexadecimal system corresponding to the assembly instruction sequence pop ebp, retn.

在本发明的一个实施例中,所述构造合法堆栈返回值绕过函数调用检测的方法,具体为:In one embodiment of the present invention, the method for constructing a legal stack return value to bypass function call detection is specifically:

初始化i=n;initialize i = n;

Void func(void)Void func(void)

{{

将进程的d3d9.dll模块的代码段中的任一连续两条汇编指令序列pop ebp,retn的地址压入堆栈;Push the address of any two consecutive assembly instruction sequences pop ebp, retn in the code segment of the d3d9.dll module of the process into the stack;

将i的值减一;Decrement the value of i by one;

如果:i>=0if: i>=0

跳转到func();jump to func();

否则otherwise

构造系统函数CreateDeviceEx需要的参数压入堆栈,并往堆栈中再次压入上述地址后,跳转到系统函数CreateDeviceEx;Push the parameters required by the construction system function CreateDeviceEx into the stack, and push the above address into the stack again, then jump to the system function CreateDeviceEx;

}}

其中,n为堆栈检测调用的层数。Among them, n is the number of layers called by the stack detection.

在本发明的一个实施例中,所述构造合法堆栈返回值绕过函数调用检测的方法具体为:In one embodiment of the present invention, the method for constructing a legal stack return value to bypass function call detection is specifically:

初始化i=0;init i=0;

Void func(void)Void func(void)

{{

将进程的d3d9.dll模块的代码段中的任一连续两条汇编指令序列pop ebp,retn的地址压入堆栈;Push the address of any two consecutive assembly instruction sequences pop ebp, retn in the code segment of the d3d9.dll module of the process into the stack;

将i的值减一;Decrement the value of i by one;

如果:i<=nif: i<=n

跳转到func();jump to func();

否则otherwise

构造系统函数CreateDeviceEx需要的参数压入堆栈,并往堆栈中再次压入上述地址后,跳转到系统函数CreateDeviceEx;Push the parameters required by the construction system function CreateDeviceEx into the stack, and push the above address into the stack again, then jump to the system function CreateDeviceEx;

}}

其中,n为堆栈检测调用的层数。Among them, n is the number of layers called by the stack detection.

在本发明的一个实施例中,所述递归调用往堆栈中压入地址的次数大于等于5。In an embodiment of the present invention, the number of times the recursive call pushes addresses into the stack is greater than or equal to 5.

按照本发明的另一方面,还提供了一种构造合法堆栈返回值绕过函数调用检测的系统,包括递归模块、递归跳出模块,其中:According to another aspect of the present invention, there is also provided a system for constructing a legal stack return value to bypass function call detection, including a recursive module and a recursive jump-out module, wherein:

所述递归模块,用于构造递归调用往堆栈中多次压入进程的d3d9.dll模块的代码段中的任一连续两条汇编指令序列pop ebp,retn的地址,其中压入地址的次数大于或等于堆栈检测调用的层数;The recursive module is used to construct the addresses of any two consecutive assembly instruction sequences pop ebp and retn in the code segment of the d3d9. Or equal to the number of layers of the stack detection call;

所述递归跳出模块,用于在所述递归模块往堆栈中多次压入上述地址后,构造系统函数CreateDeviceEx需要的参数并压入堆栈,并往堆栈中再次压入上述地址后,跳转到系统函数CreateDeviceEx。The recursive jump-out module is used to construct the parameters needed by the system function CreateDeviceEx and push the parameters into the stack after the recursive module pushes the above-mentioned address in the stack multiple times, and after pushing the above-mentioned address in the stack again, jump to System function CreateDeviceEx.

在本发明的一个实施例中,往堆栈中压入的地址的获取方式为:在进程的d3d9.dll模块的代码段中查找连续的值为0x5D,0xC3的指令的地址,其中0x5D,0xC3是汇编指令序列pop ebp,retn所对应的16进制。In one embodiment of the present invention, the method of obtaining the address pushed into the stack is: in the code segment of the d3d9. The hexadecimal system corresponding to the assembly instruction sequence pop ebp, retn.

在本发明的一个实施例中,所述系统的具体实现方式为:In one embodiment of the present invention, the specific implementation of the system is:

初始化i=n;initialize i = n;

Void func(void)Void func(void)

{{

将进程的d3d9.dll模块的代码段中的任一连续两条汇编指令序列pop ebp,retn的地址压入堆栈;Push the address of any two consecutive assembly instruction sequences pop ebp, retn in the code segment of the d3d9.dll module of the process into the stack;

将i的值减一;Decrement the value of i by one;

如果:i>=0if: i>=0

跳转到func();jump to func();

否则otherwise

构造系统函数CreateDeviceEx需要的参数压入堆栈,并往堆栈中再次压入上述地址后,跳转到系统函数CreateDeviceEx;Push the parameters required by the construction system function CreateDeviceEx into the stack, and push the above address into the stack again, then jump to the system function CreateDeviceEx;

}}

其中,n为堆栈检测调用的层数。Among them, n is the number of layers called by the stack detection.

在本发明的一个实施例中,所述系统的具体实现方式为:In one embodiment of the present invention, the specific implementation of the system is:

初始化i=0;init i=0;

Void func(void)Void func(void)

{{

将进程的d3d9.dll模块的代码段中的任一连续两条汇编指令序列pop ebp,retn的地址压入堆栈;Push the address of any two consecutive assembly instruction sequences pop ebp, retn in the code segment of the d3d9.dll module of the process into the stack;

将i的值减一;Decrement the value of i by one;

如果:i<=nif: i<=n

跳转到func();jump to func();

否则otherwise

构造系统函数CreateDeviceEx需要的参数压入堆栈,并往堆栈中再次压入上述地址后,跳转到系统函数CreateDeviceEx;Push the parameters required by the construction system function CreateDeviceEx into the stack, and push the above address into the stack again, then jump to the system function CreateDeviceEx;

}}

其中,n为堆栈检测调用的层数。Among them, n is the number of layers called by the stack detection.

在本发明的一个实施例中,所述递归调用往堆栈中压入地址的次数大于等于5。In an embodiment of the present invention, the number of times the recursive call pushes addresses into the stack is greater than or equal to 5.

总体而言,通过本发明所构思的以上技术方案与现有技术相比,通过构造一个递归调用往堆栈中多次压入进程的d3d9.dll模块的代码段中的任一连续两条汇编指令序列pop ebp,retn的地址,从而在堆栈中压入超过堆栈检测调用层数的合法地址,从而在游戏开发商对调用CreateDeviceEx函数的调用者进行检查时能够通过合法性验证,从而保证直播的正常进行。Generally speaking, compared with the prior art, the above technical scheme conceived by the present invention, by constructing a recursive call, any two consecutive assembly instructions in the code segment of the d3d9. Sequence the address of pop ebp, retn, so that the legal address exceeding the number of stack detection call layers is pushed into the stack, so that the game developer can pass the legality verification when the caller who calls the CreateDeviceEx function is checked, so as to ensure the normality of the live broadcast conduct.

附图说明Description of drawings

图1是本发明构造合法堆栈返回值绕过函数调用检测的方法示意图;Fig. 1 is a schematic diagram of a method for constructing a legal stack return value to bypass function call detection in the present invention;

图2是本发明构造合法堆栈返回值绕过函数调用检测的系统结构图。Fig. 2 is a system structure diagram for constructing a legal stack return value to bypass function call detection in the present invention.

具体实施方式detailed description

为了使本发明的目的、技术方案及优点更加清楚明白,以下结合附图及实施例,对本发明进行进一步详细说明。应当理解,此处所描述的具体实施例仅仅用以解释本发明,并不用于限定本发明。此外,下面所描述的本发明各个实施方式中所涉及到的技术特征只要彼此之间未构成冲突就可以相互组合。In order to make the object, technical solution and advantages of the present invention clearer, the present invention will be further described in detail below in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the present invention, not to limit the present invention. In addition, the technical features involved in the various embodiments of the present invention described below can be combined with each other as long as they do not constitute a conflict with each other.

如图1所示,本发明提供了一种构造合法堆栈返回值绕过函数调用检测的方法,包括:构造递归调用往堆栈中多次压入进程的d3d9.dll模块的代码段中的任一连续两条汇编指令序列pop ebp,retn的地址,其中压入地址的次数大于或等于堆栈检测调用的层数;在往堆栈中多次压入上述地址后,构造系统函数CreateDeviceEx需要的参数并压入堆栈,并往堆栈中再次压入上述地址后,跳转到系统函数CreateDeviceEx。As shown in Figure 1, the present invention provides a method for constructing a legal stack return value to bypass function call detection, including: constructing any one of the code segments of the d3d9. The addresses of two consecutive assembly instruction sequences pop ebp, retn, and the number of times the address is pushed is greater than or equal to the number of layers called by the stack detection; after pushing the above address into the stack for many times, construct the parameters required by the system function CreateDeviceEx and press After pushing the above address into the stack again, jump to the system function CreateDeviceEx.

在本发明实施例中,本发明技术方案的具体实现方式为:In the embodiment of the present invention, the specific implementation of the technical solution of the present invention is as follows:

步骤一:查找进程的d3d9.dll模块的代码段中的任一连续两条汇编指令序列popebp,retn的地址。Step 1: Find the addresses of any two consecutive assembly instruction sequences popebp and retn in the code segment of the d3d9.dll module of the process.

在进程的d3d9.dll模块的代码段中查找汇编指令序列pop ebp,retn对应的16进制就是0x5D,0xC3所以只需要在d3d9.dll模块的代码段中查找连续的值为0x5D,0xC3的指令的地址即可。In the code segment of the d3d9.dll module of the process, search for the assembly instruction sequence pop ebp, and the hexadecimal value corresponding to retn is 0x5D, 0xC3, so you only need to search for consecutive instructions with the value 0x5D, 0xC3 in the code segment of the d3d9.dll module address.

对于上述两条汇编指令序列pop ebp,retn,其中pop ebp是用于将堆栈中的值弹出到寄存器EBP中;retn是返回指令,用于从堆栈中弹出返回地址。该2条汇编指令就可以实现从一段代码返回到调用该代码的指令的下一条指令地址处。该2条汇编代码如果直接写在开发者设计的函数中则在堆栈回朔的时候就能回朔到此调用点,如此便会被系统判断为非法调用。如果该2条汇编代码的地址是从d3d9.dll合法模块中获取到的,则起到了隐藏真实调用地址的效果,从而不会被判断为非法调用。而在d3d9.dll模块中,该2条指令很容易的就能从函数的结尾处获取到,所以本发明就是从d3d9.dll动态链接库的代码段中寻找有连续2条指令是(pop ebp;retn)(寻找方法则是通过对比汇编指令的16进制值进行比较)的地址。执行此段汇编代码就能够返回到上层函数调用,因此通过使用此地址就可以绕过堆栈检测了。For the above two assembly instruction sequences pop ebp, retn, where pop ebp is used to pop the value in the stack to the register EBP; retn is a return instruction, used to pop the return address from the stack. The two assembly instructions can realize returning from a piece of code to the next instruction address of the instruction calling the code. If the two pieces of assembly code are directly written in the function designed by the developer, the calling point can be traced back when the stack is retrieved, so it will be judged as an illegal call by the system. If the addresses of the two assembly codes are obtained from the legal module of d3d9.dll, it will have the effect of hiding the real call address, so that it will not be judged as an illegal call. In the d3d9.dll module, these 2 instructions can be obtained from the end of the function easily, so the present invention is to find 2 consecutive instructions from the code segment of the d3d9.dll dynamic link library to be (pop ebp ; retn) (finding method is by comparing the hexadecimal value of the assembly instruction) address. Executing this assembly code can return to the upper function call, so by using this address, stack detection can be bypassed.

由于查找进程的d3d9.dll模块的代码段中的汇编指令序列pop ebp,retn的地址是需要一定时间的,所以通常在调用系统CreateDeviceEx函数之前先查找到该地址,从而可以在后续直接在堆栈中压入该地址。当然也可以在每次需要在堆栈中压入该地址时再做查找,但是会因为增加查找时间而降低系统运行效率。Since it takes a certain amount of time to find the address of the assembly instruction sequence pop ebp, retn in the code segment of the d3d9. Press that address. Of course, it is also possible to do a lookup every time the address needs to be pushed into the stack, but it will reduce the operating efficiency of the system because of increased lookup time.

步骤二:构造调用系统CreateDeviceEx的函数Step 2: Construct a function to call the system CreateDeviceEx

该函数用于构造系统CreateDeviceEx函数的参数,然后往堆栈中压入步骤一所找到的内存地址,并跳转到系统函数CreateDeviceEx。This function is used to construct the parameters of the system CreateDeviceEx function, then push the memory address found in step 1 into the stack, and jump to the system function CreateDeviceEx.

伪代码如下:The pseudo code is as follows:

{{

构造系统函数CreateDeviceEx需要的参数压入堆栈The parameters required by the constructor system function CreateDeviceEx are pushed onto the stack

将步骤一找到的内存地址压入堆栈Push the memory address found in step 1 onto the stack

跳转到系统函数CreateDeviceExJump to the system function CreateDeviceEx

}}

例如可以构造一个汇编函数nakedCallCreateDeviceEx,其能够实现的功能为:构造系统CreateDeviceEx函数的参数,然后往堆栈中压入步骤一所找到的内存地址,并跳转到系统函数CreateDeviceEx。For example, an assembly function nakedCallCreateDeviceEx can be constructed, which can realize the functions of constructing the parameters of the system CreateDeviceEx function, then pushing the memory address found in step 1 into the stack, and jumping to the system function CreateDeviceEx.

步骤三:构造递归调用往堆栈构造合法地址并调用步骤二函数Step 3: Construct a recursive call to construct a legal address on the stack and call the function of step 2

该函数作用是构造递归调用来往堆栈中压入步骤一中得到的地址,递归的出口则是调用步骤二的函数。这样就往堆栈中构造了很多合法调用地址。递归次数需要找到游戏的检测层数,比如是n层,那么构造的合法调用地址则只要是大于或等于n+1层即可。The function of this function is to construct the recursive call to push the address obtained in step 1 into the stack, and the recursive exit is to call the function in step 2. In this way, many legal call addresses are constructed in the stack. The number of recursions needs to find the number of detection layers of the game, for example, if it is n layers, then the legal calling address of the construction only needs to be greater than or equal to n+1 layers.

伪代码使用汇编代码实现如下:The pseudocode is implemented using assembly code as follows:

初始化i=ninitialize i=n

Void func(void)Void func(void)

{{

将步骤一找到的内存地址压入堆栈Push the memory address found in step 1 onto the stack

将i的值减一decrement the value of i by one

如果:i>=0if: i>=0

跳转到func()(实现递归调用)Jump to func() (implement recursive calls)

否则otherwise

跳转到步骤二的函数Jump to the function of step 2

}}

当然也可以是另一种实现方式,为:Of course, it can also be another way of implementation, which is:

所述系统的具体实现方式为:The specific implementation of the system is as follows:

初始化i=0;init i=0;

Void func(void)Void func(void)

{{

将进程的d3d9.dll模块的代码段中的任一连续两条汇编指令序列pop ebp,retn的地址压入堆栈;Push the address of any two consecutive assembly instruction sequences pop ebp, retn in the code segment of the d3d9.dll module of the process into the stack;

将i的值减一;Decrement the value of i by one;

如果:i<=nif: i<=n

跳转到func();jump to func();

否则otherwise

构造系统函数CreateDeviceEx需要的参数压入堆栈,并往堆栈中再次压入上述地址后,跳转到系统函数CreateDeviceEx;Push the parameters required by the construction system function CreateDeviceEx into the stack, and push the above address into the stack again, then jump to the system function CreateDeviceEx;

}}

例如可以构造一段汇编代码函数nakedCallCreateDeviceExPrev,该函数的功能是设置一个循环,不断的调用本函数,这样会产生很长的调用链,循环的出口则是调用步骤二中提到的函数。由于堆栈检测一般都只会检测5层调用,而上述方法通过一个循环可以产生任意层的调用链,并且每层的调用的返回地址都是合法的地址。For example, a piece of assembly code function nakedCallCreateDeviceExPrev can be constructed. The function of this function is to set a loop and call this function continuously, which will generate a long call chain. The exit of the loop is to call the function mentioned in step 2. Since stack detection generally only detects 5-layer calls, the above method can generate a call chain of any layer through a loop, and the return address of each layer of calls is a legal address.

如图2所示,本发明还提供了一种构造合法堆栈返回值绕过函数调用检测的系统,包括递归模块、递归跳出模块,其中:As shown in Figure 2, the present invention also provides a system for constructing a legal stack return value to bypass function call detection, including a recursive module and a recursive jump-out module, wherein:

所述递归模块,用于构造递归调用往堆栈中多次压入进程的d3d9.dll模块的代码段中的任一连续两条汇编指令序列pop ebp,retn的地址,其中压入地址的次数大于或等于堆栈检测调用的层数;The recursive module is used to construct the addresses of any two consecutive assembly instruction sequences pop ebp and retn in the code segment of the d3d9. Or equal to the number of layers of the stack detection call;

所述递归跳出模块,用于在所述递归模块往堆栈中多次压入上述地址后,构造系统函数CreateDeviceEx需要的参数并压入堆栈,并往堆栈中再次压入上述地址后,跳转到系统函数CreateDeviceEx。The recursive jump-out module is used to construct the parameters needed by the system function CreateDeviceEx and push the parameters into the stack after the recursive module pushes the above-mentioned address in the stack multiple times, and after pushing the above-mentioned address in the stack again, jump to System function CreateDeviceEx.

本领域的技术人员容易理解,以上所述仅为本发明的较佳实施例而已,并不用以限制本发明,凡在本发明的精神和原则之内所作的任何修改、等同替换和改进等,均应包含在本发明的保护范围之内。Those skilled in the art can easily understand that the above descriptions are only preferred embodiments of the present invention, and are not intended to limit the present invention. Any modifications, equivalent replacements and improvements made within the spirit and principles of the present invention, All should be included within the protection scope of the present invention.

Claims (4)

1.一种构造合法堆栈返回值绕过函数调用检测的方法,其特征在于,包括:构造递归调用往堆栈中多次压入进程的d3d9.dll模块的代码段中的任一连续两条汇编指令序列popebp,retn的地址,其中压入地址的次数大于或等于堆栈检测调用的层数;在往堆栈中多次压入上述地址后,构造系统函数CreateDeviceEx需要的参数并压入堆栈,并往堆栈中再次压入上述地址后,跳转到系统函数CreateDeviceEx;其具体实现步骤为:1. A method for constructing a legal stack return value to bypass function call detection, characterized in that it comprises: constructing any two consecutive compilations in the code segment of the d3d9. The address of the instruction sequence popebp, retn, where the number of times the address is pushed is greater than or equal to the number of stack detection calls; after pushing the above address into the stack for many times, the parameters required by the system function CreateDeviceEx are constructed and pushed into the stack, and then After pushing the above address into the stack again, jump to the system function CreateDeviceEx; the specific implementation steps are: (1)查找进程的d3d9.dll模块的代码段中的任一连续两条汇编指令序列pop ebp,retn的地址,其中,在进程的d3d9.dll模块的代码段中查找汇编指令序列pop ebp,retn对应的16进制就是0x5D,0xC3,即d3d9.dll模块的代码段中查找连续的值为0x5D,0xC3的指令的地址,pop ebp是用于将堆栈中的值弹出到寄存器EBP中;retn是返回指令,用于从堆栈中弹出返回地址;(1) Find the address of any two consecutive assembly instruction sequences pop ebp, retn in the code segment of the d3d9.dll module of the process, wherein, search for the assembly instruction sequence pop ebp, retn in the code segment of the d3d9.dll module of the process The hexadecimal value corresponding to retn is 0x5D, 0xC3, that is, in the code segment of the d3d9.dll module, search for the address of the instruction with a continuous value of 0x5D, 0xC3, and pop ebp is used to pop the value in the stack to the register EBP; retn is a return instruction, used to pop the return address from the stack; (2)构造调用系统函数CreateDeviceEx的函数,该函数用于构造系统函数CreateDeviceEx的参数,然后往堆栈中压入步骤(1)所找到的内存地址,并跳转到系统函数CreateDeviceEx;(2) construct the function of calling system function CreateDeviceEx, this function is used for the parameter of constructing system function CreateDeviceEx, pushes the memory address found in step (1) into the stack then, and jumps to system function CreateDeviceEx; (3)构造递归调用函数,该递归调用函数用于构造递归调用来往堆栈中压入步骤(1)中得到的地址,递归的出口则是调用步骤(2)的函数,其中,所述步骤(2)的函数为调用系统函数CreateDeviceEx的函数。(3) Construct a recursive calling function, which is used to construct the recursive calling stack to push the address obtained in step (1), and the recursive exit is the function of calling step (2), wherein the steps ( The function in 2) is a function to call the system function CreateDeviceEx. 2.如权利要求1所述的构造合法堆栈返回值绕过函数调用检测的方法,所述递归调用往堆栈中压入地址的次数大于等于5。2. The method for constructing a legal stack return value to bypass function call detection according to claim 1, wherein the number of times the recursive call pushes an address into the stack is greater than or equal to 5. 3.一种构造合法堆栈返回值绕过函数调用检测的系统,其特征在于,包括:第一模块、第二模块以及第三模块;3. A system for constructing a legal stack return value to bypass function call detection, characterized in that it comprises: a first module, a second module and a third module; 所述第一模块,用于查找进程的d3d9.dll模块的代码段中的任一连续两条汇编指令序列pop ebp,retn的地址,其中,在进程的d3d9.dll模块的代码段中查找汇编指令序列popebp,retn对应的16进制就是0x5D,0xC3,即d3d9.dll模块的代码段中查找连续的值为0x5D,0xC3的指令的地址,popebp是用于将堆栈中的值弹出到寄存器EBP中;retn是返回指令,用于从堆栈中弹出返回地址;The first module is used to find the address of any two consecutive assembly instruction sequences pop ebp, retn in the code segment of the d3d9.dll module of the process, wherein the assembly is searched in the code segment of the d3d9.dll module of the process The hexadecimal system corresponding to the instruction sequence popebp, retn is 0x5D, 0xC3, that is, the code segment of the d3d9.dll module searches for the addresses of consecutive instructions with the value 0x5D, 0xC3, popebp is used to pop the value in the stack to the register EBP middle; retn is a return instruction, which is used to pop the return address from the stack; 所述第二模块,用于构造调用系统函数CreateDeviceEx的函数,该函数用于构造系统函数CreateDeviceEx的参数,然后往堆栈中压入所述第一模块所找到的内存地址,并跳转到系统函数CreateDeviceEx;The second module is used to construct a function for calling the system function CreateDeviceEx, which is used to construct the parameters of the system function CreateDeviceEx, then pushes the memory address found by the first module into the stack, and jumps to the system function CreateDeviceEx; 所述第三模块,用于构造递归调用函数,该递归调用函数用于构造递归调用来往堆栈中压入所述第一模块中得到的地址,递归的出口则是调用所述第二模块中的函数,其中,所述第二模块中的函数为调用系统函数CreateDeviceEx的函数。The third module is used to construct a recursive call function, the recursive call function is used to construct the recursive call to push the address obtained in the first module into the stack, and the recursive exit is to call the address in the second module function, wherein the function in the second module is a function that calls the system function CreateDeviceEx. 4.如权利要求3所述的构造合法堆栈返回值绕过函数调用检测的系统,所述递归调用往堆栈中压入地址的次数大于等于5。4. The system for constructing a legal stack return value to bypass function call detection according to claim 3, wherein the number of times the recursive call pushes an address into the stack is greater than or equal to 5.
CN201610128818.0A 2016-03-08 2016-03-08 It is a kind of to construct the method and system that legal storehouse return value bypasses function call detection Expired - Fee Related CN105808256B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610128818.0A CN105808256B (en) 2016-03-08 2016-03-08 It is a kind of to construct the method and system that legal storehouse return value bypasses function call detection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610128818.0A CN105808256B (en) 2016-03-08 2016-03-08 It is a kind of to construct the method and system that legal storehouse return value bypasses function call detection

Publications (2)

Publication Number Publication Date
CN105808256A CN105808256A (en) 2016-07-27
CN105808256B true CN105808256B (en) 2017-06-23

Family

ID=56466818

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610128818.0A Expired - Fee Related CN105808256B (en) 2016-03-08 2016-03-08 It is a kind of to construct the method and system that legal storehouse return value bypasses function call detection

Country Status (1)

Country Link
CN (1) CN105808256B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106295325B (en) * 2016-08-12 2020-02-07 武汉斗鱼网络科技有限公司 Hook method and system for acquiring content of display card
CN106295326B (en) * 2016-08-12 2020-02-07 武汉斗鱼网络科技有限公司 Inline hook method and system for acquiring content of display card
CN107545182B (en) * 2017-09-06 2019-11-15 武汉斗鱼网络科技有限公司 Around the method and system of function call chain detection in a kind of IOS application
CN110245464B (en) * 2018-10-10 2021-08-27 爱信诺征信有限公司 Method and device for protecting file
CN113010855B (en) * 2019-12-18 2022-05-10 武汉斗鱼鱼乐网络科技有限公司 Method, device and medium for acquiring data and computer equipment
CN115145571B (en) * 2021-03-31 2024-11-08 武汉斗鱼鱼乐网络科技有限公司 Method, device and medium for hiding system function calls in program core code

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8984256B2 (en) * 2006-02-03 2015-03-17 Russell Fish Thread optimized multiprocessor architecture
CN101692206A (en) * 2009-08-28 2010-04-07 腾讯科技(深圳)有限公司 Method for adding dynamic parameters to static callback function and related realization
CN102651060B (en) * 2012-03-31 2015-05-06 北京奇虎科技有限公司 Method and system for detecting vulnerability
CN104298534B (en) * 2014-10-23 2017-10-24 广州华多网络科技有限公司 Programmed method and device based on Lua language

Also Published As

Publication number Publication date
CN105808256A (en) 2016-07-27

Similar Documents

Publication Publication Date Title
CN105808256B (en) It is a kind of to construct the method and system that legal storehouse return value bypasses function call detection
CN110675256B (en) Method and device for deploying and executing intelligent contracts
CN108829405B (en) Channel package generation method and device, storage medium and electronic device
CN103226583B (en) A kind of method and apparatus of ad plug-in identification
US9256515B2 (en) Stack trace compression
US8707286B2 (en) Unique context-based code enhancement
CN102799640B (en) Page charger and page loading method
CN104317599B (en) Whether detection installation kit is by the method and apparatus of secondary packing
KR101234591B1 (en) Method for Anti-Encoding Android by Using Java Native Interface
US9442725B2 (en) Branch trace compression
CN103530171A (en) Smart card virtual machine and implementation method thereof
CN108845839A (en) Application page loading method, device and computer readable storage medium
CN105468505A (en) Coverage test method and coverage test device
CN102099781A (en) Branch predicting device, branch predicting method thereof, compiler, compiling method thereof, and medium for storing branch predicting program
CN109408393A (en) Application testing method, device and equipment and computer readable storage medium
CN113961919B (en) Malware detection method and device
CN108279940A (en) A kind of module loading method and apparatus in web container
US9104402B2 (en) Branch trace compression
CN105205398B (en) It is a kind of that shell side method is looked into based on APK shell adding software dynamic behaviours
CN113987517A (en) Vulnerability mining method, device, equipment and storage medium based on Internet of things firmware
CN114282212A (en) Rogue software identification method and device, electronic equipment and storage medium
CN106650339A (en) Control flow complication-based Java code obfuscation method
CN114338102B (en) Security detection method, security detection device, electronic equipment and storage medium
US9842018B2 (en) Method of verifying integrity of program using hash
CN101794219A (en) Compression method and device of .net files

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20170623